First malicious AI-MCP server discovered

Security researchers have identified what they believe to be the world’s first malicious Model Context Protocol (MCP) server, which has been made available as open source on GitHub, a Microsoft-owned code repository. MCP, created by Anthropic, has faced criticism for its optional security measures and inherent vulnerabilities. This protocol aims to standardise connections between AI applications and external data sources, tools, and APIs, thereby eliminating the need for custom integrations. Recently, endpoint security vendor Koi discovered a malicious version of the postmark-mcp package, which is used for sending emails through the Postmark service. The malicious code was introduced in version 1.0.16, which added a line that forwarded emails via blind carbon copy (BCC) to an account seemingly hosted in France.

The original postmark-mcp package is maintained by ActiveCampaign, the organisation behind Postmark. Koi suspects that an attacker took the legitimate repository, inserted the malicious BCC line, and republished it on npm. ActiveCampaign confirmed the incident, clarifying that they had no involvement with the malicious package. They stated, “A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server.” The Postmark team has advised users of the fake package to remove it immediately, check email logs, and rotate any credentials that may have been compromised. Koi reported that the fake postmark-mcp had 1,500 weekly downloads, with estimates suggesting that between 3,000 and 15,000 emails were forwarded to the attacker daily. Koi’s findings indicate that the MCP model may be fundamentally flawed, as it grants extensive permissions to tools created by unverified individuals.